On the 25th anniversary of the first computer virus, a pair of computer …

Some birthdays just aren't happy events. Science is noting the 25th birthday of the first documented instance of malware. The magazine uses the occasion as an opportunity to both track the evolution of the virus and its relatives (trojans, rootkits, etc.) and discuss why the problem is likely to still be plaguing us when the 50th anniversary rolls around.

Most of us were first exposed to the concept of malware with the arrival of the Morris Worm in 1988, which spread worldwide through the Internet, then primarily an academic resource. But the authors note that the Morris Worm was a relative latecomer. 1982 saw the first computer virus, Elk Cloner, written by a Pittsburgh high school student; it spread through Apple II systems via infected floppy disks.

Elk Cloner's payload was simply the display of some bad poetry. This set the standard for the first decade or more of malware, which focused primarily on annoying users with graphical displays or threats of damage to their computer. The authors of the tribute note that this trend hasn't held; malware has become big business for both the offensive and defensive players. There is now a multibillion-dollar antivirus industry, and its fight has become one largely against for-profit malware writers. Those coders now focus on keeping their viruses operating stealthily, so that they can continue to spew spam or extract financial information from unsuspecting users.

A happy and healthy malware industry

The authors note a number of trends that they expect will keep the malware industry happy and healthy for the foreseeable future. The first is simply the problem of eradicating it; the authors suggest that malware detection is an example of the "halting problem," as defined by Turing. A perfectly accurate detection program will never complete, while any approximations that finish scanning will necessarily suffer from a combination of false positives and missed malware. They're also not impressed with platform diversity as a solution, calling it a "double edged sword." Although it ensures that at least some computers will remain functional in the face of a malware attack, it also increases what they term the "attack surface": the more operating systems, the more likely that an attacker will find one with a vulnerability.
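The halting-problem argument above can be made concrete with a toy model. The following is an added example, not code from the article or from the Science authors; every name in it is hypothetical, and "malicious" is a harmless stand-in that means "returns a marker string".

```python
# Added illustration; all names here are hypothetical.
# "Malicious" is a harmless stand-in: a program is malicious if calling it
# returns the marker string below.
MARKER = "REPLICATE"

def make_contrarian(detector):
    """Build a program that asks the detector about itself, then does the opposite."""
    def contrarian():
        if detector(contrarian):
            return "idle"   # flagged as malicious, so behave benignly
        return MARKER       # passed as clean, so behave "maliciously"
    return contrarian

# Constructed candidate detectors.
def flag_everything(program):
    return True

def flag_nothing(program):
    return False

def simulate(program):
    # Tries to be exact by running the program and watching what it does.
    return program() == MARKER

def evaluate(detector):
    """Return how the detector fails on the contrarian program built against it."""
    program = make_contrarian(detector)
    try:
        verdict = detector(program)
    except RecursionError:
        # Detector and program keep invoking each other; Python's stack limit
        # stands in for "never completes".
        return "never completes"
    truth = program() == MARKER
    if verdict and not truth:
        return "false positive"
    if truth and not verdict:
        return "missed malware"
    return "correct"  # unreachable for a deterministic detector that halts

if __name__ == "__main__":
    for d in (flag_everything, flag_nothing, simulate):
        print(f"{d.__name__}: {evaluate(d)}")
```

Any deterministic detector passed to `evaluate` lands in one of the three failure cases, which is the trade-off the authors describe.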

But the authors view two basic reasons as being the keys to a continued plague of malware. The first is one most of us are all too familiar with: user stupidity. As they put it, "there is no obvious 'fix' for human nature," a view they support by noting one case of "malware" that was nothing more than an e-mail message that encouraged users to cripple their computers by deleting an essential file.

But the biggest problem that the authors expect in the future comes from the increased sophistication that we expect not only from computers but from all of our electronic devices. They state that, "there is one basic fact in security: The more functionality, the more opportunities a developer has to make a mistake." This has left operating systems vulnerable in part due to the many programs that run on top of them, but it poses an even greater risk as more gadgets gain both connectivity and software sophistication. They suggest that the existence of proof-of-concept cellphone viruses is an indication that the first phone malware is imminent. They also expect that the threat will spread to other devices as PDAs, music players, and even appliances gain connectivity and software complexity.

It's hard to argue with much of their analysis, but there's one aspect of the problem that appears to have been left out. Our primary response to existing malware is software that relies on both user intervention and a dictionary of suspicious code. This raises a question of timing: it's possible that our increasingly sophisticated electronic devices will gain the capacity to host malware before they are able to support antiviral software. It seems likely that such a risk is more severe in cases where either the device makers or service providers lock the user out of full control over the device; malware writers won't face the same constraints.

Given the expectations and expertise of existing malware writers, it seems unlikely that we'll have the luxury of a gentle decade characterized by innocuous payloads of vulgar messages and bad poetry before we have to adjust to the dangers of viruses on platforms beyond the PC. Given the expectations of the authors of the perspective in Science, it might be a good idea to start making sure we can cope with the inevitable when it arrives.